RISKS Forum mailing list archives
Risks Digest 28.58
From: RISKS List Owner <risko () csl sri com>
Date: Tue, 31 Mar 2015 23:28:34 PDT
RISKS-LIST: Risks-Forum Digest  Wednesday 1 April 2015  Volume 28 : Issue 58

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/28.58.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
The Apple zero-button mouse -- and related innovations? (PGN)
No liability for exchange rate software error by United (Jeremy Epstein)
Digital currency risks (William Brodie-Tyrrell)
Fraudster escapes jail by forging bail e-mail (Chris Drewe)
Manipulating Wikipedia to Promote a Bogus Business School (Newsweek)
DDoS against Rutgers University, and perpetrator claims credit (danny burstein)
FTC Rules Jerk, LLC and John Fanning Deceived Consumers, Violated FTC Act
  (Gabe Goldberg)
"Washington is coming for your personal data" (Caroline Craig)
"Dell support tool put PCs at risk of malware infection" (Lucian Constantin)
"Cisco IP phones open to remote eavesdropping, calling" (Lucian Constantin)
Australia passes data retention into law (Lauren Weinstein)
Re: Jurisdictional risks (Doug Montalbano)
Re: Kali Linux security is a joke! (Ian Jackson)
Re: House Judiciary Committee tries to be cool, fails oh so miserably
  (Devon McCormick)
Re: As We Age, Smartphones Don't Make Us Stupid ... (Rob Slade)
Re: "GoDaddy accounts vulnerable to social engineering and Photoshop"
  (Craig Burton)
Re: Software says "'Dr' Must Be Male"! (Thomas Koenig)
Risky Business: Virgin Galactic (William Langewiesche)
Book: Peter Carey, Amnesia (PGN)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: 1 April 2015
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: The Apple zero-button mouse -- and related innovations?
I just stumbled on to this item:

  CUPERTINO, CA, April 1, 2015 -- Apple, Inc. (NASDAQ: AAPL) today announces the ultimate refinement in pointer technology: the zero-button mouse.

  "We found that the button was confusing users," said Sir Jonathan Ive, Vice President of Design.

  The zero-button mouse uses a flexible antenna, which Apple calls the tail. In order to left click, the user grabs the mouse by the tail, and swings it to the left. Right clicking is similar, but swinging to the right. Scrolling is accomplished by swinging the mouse towards or away from the user.

  The zero-button mouse is available in three collections: Apple Zero Mouse Sport in aluminum, Apple Zero Mouse in stainless steel, and the Apple Zero Mouse Edition, 18-carat gold. A white rubber tail is standard, but optional tails are available in black and red leather, titanium mesh, and carbon fiber.

  Pricing and Availability: All models and tails are available for purchase starting today, April 1, 2015. Pricing for the Zero Mouse Sport is $34.95, the Zero Mouse is $49.95, and the Zero Mouse Edition is $995.00. The leather tails are $14.95 each, the titanium mesh tail $24.95, and the carbon fiber tail is $799.95.

WATCH for this one!!

With this innovation, the era of button-down mice seems to be ending (somewhat like shirts?), despite seemingly regressively replacing the one-button, two-button, and three-button mouse. It is rumored that Microsoft is planning a competing voice-operated no-button mouse, albeit possibly with a built-in optional keyboard for people with small fingers. Google is expected to compete with its own autonomouse, which can move (autonomousely) *without* user control -- or if a user is particularly gifted, with perceptive mind control -- in either case, proactively anticipating user intent, and automatically avoiding collisions and interference with any other user's mouse.

The potential risks are left as an exercise to the reader.
PGN

------------------------------

Date: Sun, 29 Mar 2015 16:44:52 -0400
From: Jeremy Epstein <jeremy.j.epstein () gmail com>
Subject: No liability for exchange rate software error by United

US Department of Transportation has informed United that it's not going to force them to honor the airfares that were posted on their website, because it was the fault of a third-party currency conversion site. This seems to me a dangerous precedent (although airlines have previously tried to wiggle out of honoring prices on their websites when they've claimed software or data entry errors). Will other merchants be able to retroactively cancel orders (or change prices) if they find software errors that mean they don't have adequate profit (or cause losses)? Would United generously refund overpayments if the software had overcharged people who paid in particular currencies or particular websites?

  "On February 11, 2015, a currency exchange-rate error in 3rd party software supplied to United affected several thousand bookings on United's Denmark-facing website. Specifically, this error temporarily caused flights originating in the United Kingdom and denominated in Danish Kroners (DKK) to be presented at only a fraction of their intended prices. While United filed fares correctly, this software error caused amounts charged to be significantly lower than prices offered through all other distribution channels or available in any other currency."

http://www.united.com/web/en-US/content/travel/exchange-rate-error.aspx?v_ctrk=HHLN$0-202-7697-1-5798

------------------------------

Date: Mon, 30 Mar 2015 11:56:32 +1030
From: William Brodie-Tyrrell <william.brodie.tyrrell () gmail com>
Subject: Digital currency risks

Yet another crypto-currency exchange is cracked and emptied, and the usual causes -- a Dunning-Kruger-esque ignorance of security principles applied to Other People's Money -- are to blame.
The interesting part here, other than that it wasn't a deliberate market exit aka "abscond with the deposits", is the full disclosure that you'd never see from a larger financial institution:

https://www.allcrypt.com/blog/2015/03/what-happened-and-whats-going-on/

While cryptocurrencies are attractive to some because of their lack of governmental control, a lack of oversight on exchanges is clearly costing customers real money. There are strict financial-services regulations already in place throughout the west and maybe they should be enforced.

Here's the worst of both worlds: easily-digitally-stealable cash with the full backing of a national government. Not only that, the block-chain means your cash-transaction history is visible to the issuing government and probably publicly too.

http://mobile.reuters.com/article/idUSKBN0M82KB20150312?irpc=932

The only upside is that this may be a way to introduce macro-economic controls (manual control over the minting rate) to cryptocurrencies and thereby avoid the deflationary nature that makes BTC useless as a unit of account.

William Brodie-Tyrrell  http://www.brodie-tyrrell.org/

------------------------------

Date: Sun, 29 Mar 2015 14:59:24 +0100
From: Chris Drewe <e767pmk () yahoo co uk>
Subject: Fraudster escapes jail by forging bail e-mail

RISKS readers will be familiar with phishing attempts using phony but realistic-looking URLs and e-mail addresses (e.g. "following our computer upgrade at Midland Bank, you need to go to mid1andbank.com and enter your credit card details"), but there was an item in yesterday's newspaper (Mar 28th, 2015) about a prisoner who got out of Wandsworth Jail in south London, UK, by forging correspondence granting him bail in exactly this way. In summary, the article says that he set up false but official-looking e-mail addresses, then created his own bail documents.
*The Telegraph*, 28 March 2015 http://www.telegraph.co.uk/news/uknews/crime/11500973/Fraudster-escapes-from-one-of-Britains-most-secure-prisons-by-forging-letter-granting-him-bail.html
He set up an email domain imitating Her Majesty's Court Service (HMCTS) that used hyphens instead of 'dots' to say Southwark Crown Court had rubber-stamped his bail on March 10, 2014. Moore managed to secure his release when staff failed to spot the subtle difference and misspelled court name 'Southwalk'.
------------------------------

Date: Wed, 25 Mar 2015 08:09:13 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Manipulating Wikipedia to Promote a Bogus Business School (Newsweek)

Newsweek via NNSquad
http://www.newsweek.com/2015/04/03/manipulating-wikipedia-promote-bogus-business-school-316133.html

  In 2013, IIPM got an unexpected boost for its page. A new initiative launched by Jimmy Wales's Wikimedia Foundation offered free access to Wikipedia from mobile phones. The program, Wikipedia Zero, launched in India and other parts of the developing world, including Thailand, Myanmar, Morocco, Ghana and Malaysia.

  "In my opinion, by letting this go on for so long, Wikipedia has messed up perhaps 15,000 students' lives," Peri says. "They should have kept track of Wifione and what they were doing--they were just so active."

  The Wikimedia Foundation is apologetic but won't be offering compensation. In a statement, it said, "The Wikimedia Foundation was very disappointed to hear of the allegations of fraud committed by IIPM and Wifione. If true, it was a tremendous violation of the trust and good faith of our editors and readers. We will continue to work to support our editors and administrators in serving as a vigilant defense against such incidents and in hopes that they can prevent future incidents like this from occurring."

------------------------------

Date: Tue, 31 Mar 2015 08:32:01 -0400 (EDT)
From: danny burstein <dannyb () panix com>
Subject: DDoS against Rutgers University, and perpetrator claims credit

Rutgers network crumples under siege by DDoS attack
[Rutgers student newspaper]

  The Rutgers network came under a Distributed Denial of Service (DDoS) attack beginning on March 27 and ending on March 30, according to an email sent by Don Smith, vice president and chief intelligence officer for the University's Office of Information Technology.
  The incident, which knocked out access to RUWireless and RUWireless Secure, the school's Internet networks, as well as Sakai, the University's online learning platform, among other sites, was the third DDoS attack allegedly committed by an individual hacker since the first occurrence on Nov. 19, 2014.

  [...]

  During the DDoS attack in November, 40,000 web robots, or "bots," originating from Eastern Europe and China flooded the network, dismantling the class web registration system when first-year students were scheduled to enroll in classes for the upcoming spring semester, according to the article.

  [...]

  "A while back you had an article that talked about the DDoS attacks on Rutgers," the email read. "I'm the one who attacked the network [...] This might make quite an interesting story ... I will be attacking the network once again at 8:15PM EST. You will see sakai.rutgers.edu offline."

rest:
http://www.dailytargum.com/article/2015/03/rutgers-network-crumples-under-siege-by-ddos-attack

------------------------------

Date: Wed, 25 Mar 2015 16:36:26 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: FTC Rules Jerk, LLC and John Fanning Deceived Consumers, Violated FTC Act

The Federal Trade Commission has granted summary decision against the operators of Jerk.com, a website that billed itself as `the anti-social network' website. The Commission found that the operators Jerk, LLC and John Fanning misled consumers by claiming that content on the website was posted by other users. Instead, most of the content came from Facebook profiles mined by the operators.

https://www.ftc.gov/news-events/press-releases/2015/03/ftc-rules-jerk-llc-john-fanning-deceived-consumers-violated-ftc?utm_source=govdelivery

It's shocking that someone misused social media information, and that a website selling bogus "memberships" was stopped. But those are surely unique events and won't happen again on our always safe and comforting intertubes.
Gabriel Goldberg, Computers and Publishing, Inc.  gabe () gabegold com
3401 Silver Maple Place, Falls Church, VA 22042  (703) 204-0433

------------------------------

Date: Fri, 27 Mar 2015 12:05:46 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Washington is coming for your personal data" (Caroline Craig)

Caroline Craig, InfoWorld, 27 Mar 2015
Little-noticed change to judicial rules gives the FBI greater powers to conduct remote searches, and the 'zombie bill': CISA is on the fast track to a Senate vote.
http://www.infoworld.com/article/2902611/government/washington-is-coming-for-your-personal-data.html

------------------------------

Date: Thu, 26 Mar 2015 21:36:56 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Dell support tool put PCs at risk of malware infection" (Lucian Constantin)

Lucian Constantin, InfoWorld, 25 Mar 2015
Weak authentication in Dell's System Detect utility could have enabled drive-by malware attacks
http://www.infoworld.com/article/2901385/security/dell-support-tool-put-pcs-at-risk-of-malware-infection.html

------------------------------

Date: Thu, 26 Mar 2015 21:38:09 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Cisco IP phones open to remote eavesdropping, calling" (Lucian Constantin)

Lucian Constantin, InfoWorld, 23 Mar 2015
An authentication flaw allows attackers to listen to audio streams and make calls from Cisco SPA 300 and 500 IP phones
http://www.infoworld.com/article/2899710/mobile-technology/cisco-ip-phones-open-to-remote-eavesdropping-calling.html

------------------------------

Date: Thu, 26 Mar 2015 15:44:55 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Australia passes data retention into law

IT News AU via NNSquad
http://www.itnews.com.au/News/402127,australia-passes-data-retention-into-law.aspx

  Law enforcement agencies will need to apply for warrants to access a journalist's metadata for the purpose of identifying a source.
  All other citizen metadata will be open to access without a warrant.

  Telcos and internet service providers will now have 18 months to prepare their systems and processes for the scheme, which has been forecast to cost between $188.8 million and $319.1 million to set up, and around $4 per customer per year to maintain.

  They will be required to store the non-content data of all customers for a two-year period to aid law enforcement agencies in criminal investigations. Telcos and ISPs are not restricted in where they can store the data.

  The metadata list will include, among other things: names, addresses, birthdates, financial and billing information of internet and phone account holders; traffic data such as numbers called and texted, as well as times and dates of communications; when and where online communications services start and end; a user's IP address; type and location of communication equipment; and upload and download volumes.

 - - -

Going downhill fast down under.

------------------------------

Date: Thu, 26 Mar 2015 21:31:44 +0000 (UTC)
From: Doug Montalbano <doug_montalbano () yahoo com>
Subject: Re: Jurisdictional risks (RISKS-28.56)

I understand the political point Brodie-Tyrrell is making. But, as the section "Policing the Twenty-First Century" in Marc Goodman's Future Crimes points out, (hypocrisy notwithstanding) how to police in a world that is now without borders is a major problem.

  [I pointed to Goodman's book (the subtitle of which is Everything is Connected) in RISKS-28.43 and 28.53. PGN]

------------------------------

Date: Thu, 26 Mar 2015 17:26:32 +0000
From: Ian Jackson <ijackson () chiark greenend org uk>
Subject: Re: Kali Linux security is a joke! (RISKS-28.56)

Like most Debian derivatives, Kali relies on the PGP-based archive signing system built into the Debian package distribution protocols.
Observe:

  http://ftp.hands.com/kali-security/dists/kali/Release
  http://ftp.hands.com/kali-security/dists/kali/Release.gpg

This is a much better arrangement than relying on TLS (https) in almost all important respects:

The public key used by apt-get on a Debian derivative to verify the software updates is a dedicated archive signing key, controlled by the Debian derivative itself. So unlike TLS, which relies on CAs, the kali archive signing system cannot be subverted by third parties. Furthermore, key rollover is straightforward: the new public key can be distributed in a software update. This bespoke arrangement provides much better integrity protection.

It also has operational advantages: it is much easier to run a mirror network. Mirrors do not need to be enrolled into a certificate scheme and granted authority to subvert users' machines. Instead, mirrors simply redistribute the signatures made by the distribution itself.

TLS is a much worse protocol than PGP in general - it is much messier and has many more opportunities for implementation and configuration errors.

The mirror does have some ability to perform a rollback attack, but the impact is limited to delaying updates, rather than rewinding target systems, because the software update mechanism does not downgrade packages unless specifically asked by the user.

Deploying TLS for mirrors would be useful to help protect the privacy of users: it would make it harder for an eavesdropper to discern which packages a particular computer has installed, and would impede some network-based rollback attacks. Debian itself has been discussing these concerns.
What's the point of verifying md5 sums against "official values", if Kali can't even get the "official values" securely ??
This response seems really knee-jerk. Rather than immediately assuming the worst, just because someone isn't using TLS, it would have been worth double-checking.

It seems that Henry Baker would, if asked to design a software update mechanism, rely on TLS for the software integrity protection. For the reasons explained above this would be a poor decision.

  [Be sure to read the paper by Benjamin Beurdouche et al., A Messy State of the Union: Taming the Composite State Machines of TLS, which will be presented in the IEEE Symposium on Security and Privacy, 18-20 May, which fairly demolishes half a dozen TLS implementations -- because they each have remarkable unexpected behaviors resulting from the composition of the client side and the server side. Indeed, Everything is Connected, but often with nasty results. (See the previous item.) PGN]

------------------------------

Date: Thu, 26 Mar 2015 10:44:54 -0400
From: Devon McCormick <devonmcc () gmail com>
Subject: Re: House Judiciary Committee tries to be cool, fails oh so miserably

The page may look amateurish but consider the sub-text: many images of pretty, mostly blonde, women on a page about enforcing immigration laws. What's the real message here?

------------------------------

Date: Wed, 25 Mar 2015 18:34:53 -0700
From: Rob Slade <rmslade () shaw ca>
Subject: Re: As We Age, Smartphones Don't Make Us Stupid ... (RISKS-28.57)
In general, the students who did not use computers did better than those who did.
This doesn't surprise me in the least. I used to tell my students that all the exams (in courses I taught for colleges and universities) were open book. I don't tell them that any more. My exams are written to test for understanding, not rote memorization. You can't find the answer on page 42. It just got to be too painful watching the unprepared stagger in with piles of books, and then spend the entire exam period flipping pages, trying vainly to find things they'd never bothered to learn during the course. (Since they'd never bothered to learn them, they had no idea where they were in the book, either.)

rslade () vcn bc ca  slade () victoria tc ca  rslade () computercrime org
The dictionary is the only place where success comes before work. Mark Twain
victoria.tc.ca/techrev/rms.htm  http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/

------------------------------

Date: Thu, 26 Mar 2015 12:23:10 +1100
From: "Craig Burton" <Craig.Burton () vec vic gov au>
Subject: Re: "GoDaddy accounts vulnerable to social engineering and Photoshop" (Ragan, RISKS-28.57)

I read with interest the GoDaddy social engineering success. It seems the missing step is actually something that verifies the ID document content.

My government has fairly recently deployed a central personal information oracle.

http://www.dvs.gov.au/Pages/default.aspx

I am sure other such services exist in other countries but I would expect larger countries than Australia may have more trouble consolidating data. I assume if this were available to GoDaddy the call agent would get a DVS fail on the driver license name and number together.

------------------------------

Date: Fri, 27 Mar 2015 08:16:37 +0100
From: Thomas Koenig <tkoenig () netcologne de>
Subject: Re: Software says "'Dr' Must Be Male"!

PGN wrote:
[In Germany, if her husband were also a Dr, she would be Frau Doktor Doktor Selby, and presumably German software would have no problem with that. PGN]
This usage was quaint forty years ago, and is non-existent now, except for a few lame jokes. It is certainly against the law in Germany to claim to be a Dr. if you are not entitled to it.

The RISK? Continuing to rely on outdated assumptions without checking if they still apply.

  [Similarly noted by Drew Dean, who remarked that Germans have been amused that Austrians still observed this `quaint' custom. Mea Culpa. Yes, I'm remembering fifty-five years ago, when the wife of the Darmstadt lab director Herr Dr Professor Alwin Walther was routinely referred to as Frau Dr Dr Walther (because she was also a Dr). I'm happy to know that this academic honorific is no longer practiced. PGN]

------------------------------

Date: Wed, 25 Mar 2015 9:14:16 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Risky Business: Virgin Galactic (William Langewiesche)

William Langewiesche, "Risky Business", *Vanity Fair*, April 2015, p. 180

"More than 700 people have paid up to $250,000 for a ride on Richard Branson's Virgin Galactic. In this excerpt from 'Vanity Fair's' April 2015 article about the mogul's risky business, William Langewiesche details the particulars about Virgin Galactic's trip to space."

http://www.vanityfair.com/news/2015/03/what-is-it-like-to-fly-virgin-galactic

------------------------------

Date: Sun, 29 Mar 2015 10:40:19 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Book: Peter Carey, Amnesia

Peter Carey, Amnesia, Alfred A. Knopf, 2015, 307 pp.

(From a publisher blurb) ``The two-time Booker Prize winner now gives us an exceedingly timely, exhilarating novel -- at once dark, suspenseful, and seriously funny -- that journeys to the place where the cyber underworld collides with international power politics. ...
Bringing together the world of hackers and radicals with the `special relationship' between the United States and Australia, and Australia and the CIA, Amnesia is a novel that speaks powerfully about the often hidden past, but most urgently about the more and more hidden present.''

  [It certainly seems timely and topical. Note: My wife loved it. PGN]

  [Spoiler alert: The plot line in this book automates the get-out-of-jail process noted in Chris Drewe's item earlier in this issue, and scales it up extensively -- ending up with a large-scale remote e-release of prisoners. PGN]

------------------------------

Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to
   risks-request () csl sri com
containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com  or  risks-unsubscribe () csl sri com
depending on which action is to be taken.

Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.

=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
*** NOTE: Including the string `notsp' at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.

=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
   or ftp://ftp.sri.com/VL/risks for previous VoLume
   http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
   <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .

==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
   is no longer maintained up-to-date except for recent election problems.

*** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.

==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 28.58
************************